General Data Protection Regulation

General Data Protection Regulation summary

With hundreds of pages describing legal concepts and requirements, a General Data Protection Regulation summary offers a much-needed overview and a first approach to the key aspects of the law.

The European General Data Protection Regulation was put into effect in 2018, becoming the strictest data privacy and security law in the world. Its profound transformation of companies’ requirements for data processing and handling has meant that many organizations (even the biggest ones) have struggled to find a cohesive strategy to comply with it. A look at the biggest GDPR penalties confirms this: Meta received the two biggest fines of 2023, a record 1.2 billion euros and 390 million euros, as reported by EQS.

Through this General Data Protection Regulation summary, we aim to provide a synthesis of the GDPR, a daunting legal document that has burdened compliance departments for years.

Additionally, we take a look at some of the key compliance tasks that can be solved with data protection software built specifically for the European General Data Protection Regulation.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union on May 25, 2018. Designed to harmonize data privacy laws across Europe, its aim is to protect and empower all EU citizens' data privacy. In order to do so, the document presents a profound reshaping of the way organizations approach data privacy within the EU.

Key aspects of the General Data Protection Regulation: a summary

Scope and application of the European General Data Protection Regulation

The GDPR applies to all organizations that target or collect the personal data of EU citizens, regardless of where the organization itself is located.

Some basic definitions

Personal data

Under the GDPR, personal data is defined as any information relating to an individual who can be directly or indirectly identified through it.

Examples of personal data according to the GDPR include: 

  • Personal details: name, address (postal and email), telephone number, national identification number (e.g., social security number, passport number)
  • Web data: IP address, cookie identifiers, RFID tags
  • Biometric data: fingerprints, facial recognition data, iris scans, voice recognition data
  • Health information: medical history, health records, genetic data
  • Financial information: bank account details, credit card information, transaction histories
  • Employment information: job title, employment history, performance evaluations
  • Location data: GPS data, mobile phone location data
  • Behavioral data: purchase history, browsing history, clickstream data
  • Cultural identity: ethnicity, religious beliefs, political opinions
  • Contact information: email addresses, social media profiles

Data processing 

The GDPR defines data processing as “any action performed on data, whether automated or manual”. That includes actions such as collecting, recording, organizing, structuring, storing, using, or erasing data.

Data subject 

Data subjects are the individuals whose personal data is processed, for instance a company’s clients or its website visitors.

Data controller 

The person or entity that decides how and why personal data will be processed, and who may also handle it directly. Within an organization, both owners and employees are data controllers.

Data processor 

Sometimes a third party processes personal data on behalf of a data controller (for instance, a cloud data service). In this case, specific rules apply to the relationship between controller and processor.

Data protection officer

A designated individual responsible for overseeing an organization's data protection strategy and ensuring compliance with GDPR requirements. The DPO is only necessary for certain organizations, such as those that process or store large amounts of personal data or those that process special categories of data.

Data protection

Protection and accountability principles

Article 5(1)-(2) of the European General Data Protection Regulation defines the key principles relating to the processing of personal data. Among the key considerations here are:

  • Processing must be lawful, fair, and transparent to the data subject
  • There is a purpose limitation on data processing, meaning organizations must only process data for the legitimate purposes that were explicitly outlined to the data subject when their data was collected
  • Organizations should aim for data minimization, that is, collecting and processing only as much data as is strictly necessary for the purposes specified
  • Stored personal data must be accurate and up to date
  • Personally identifying data must only be stored for as long as it is necessary for the specified purpose
  • Processing must be carried out in a way that ensures security, integrity, and confidentiality
  • Data controllers must be able to actively demonstrate GDPR compliance

Some actions that typically indicate compliance include implementing and using GDPR software (as we explain below), assigning data protection responsibilities within teams, maintaining detailed documentation of the data collected, and having data processing agreements in place with third parties.

While these are some examples, the specific measures for each particular organization can only be determined on a case-by-case basis.

Data processing requirements for organizations

Article 6 lists the scenarios in which personal data may be processed lawfully. The text considers data processing lawful in the following cases:

  • When the company has the subject’s consent to process their data. Consent must be “freely given, specific, informed and unambiguous”, and very specific rules surround this step, including:
      • Requests must be presented in “clear and plain language” and must be “clearly distinguishable from the other matters”
      • Consent can be withdrawn by data subjects at any time
      • Children under 13 must have their parents’ permission to give consent
      • Organizations must keep documentary evidence of consent
  • When processing is required to enter into a contract with the subject
  • When processing is required to comply with a legal obligation
  • When processing is required to save somebody’s life
  • When processing is required to perform a task in the public interest
  • When there is a legitimate interest

The rights of citizens

The European General Data Protection Regulation aims to give citizens more control over their data. It therefore introduced a series of rights over personal data, including:

  • Right to access their personal data and information about how it is being processed
  • Right to rectification in case inaccurate personal data has been collected
  • Right to erasure (the right to be forgotten), so that individuals can request the deletion of their personal data in certain circumstances
  • Right to restrict the processing of their data under certain conditions
  • Right to data portability, meaning data subjects can receive their personal data in a structured, commonly used, and machine-readable format in order to transmit it to another controller
  • Right to object to the processing of their data in certain situations
  • Rights related to automated decision-making, including profiling

Data security

Data security measures

Any General Data Protection Regulation summary wouldn’t be complete without mentioning the data security measures that organizations must put into place. 

In this respect, the legal text describes how organizations are expected to implement “appropriate technical and organizational measures.”

This open-ended statement leaves it to each organization to determine which technical measures must be enforced based on its actual needs. Additionally, the legal text presents data protection by design and by default as the paradigms that must inform any security strategy.

Notifications and penalties

The European General Data Protection Regulation requires organizations to notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of individuals.

At the same time, data subjects must be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Additionally, non-compliance can result in substantial fines, with maximum fines of up to 4% of annual global turnover or €20 million (whichever is greater).

Tools to comply with the European General Data Protection Regulation

The implementation of data protection software stands out as a key measure to build compliance with the European General Data Protection Regulation.

These software solutions are designed to protect the security and privacy of data stored within computer systems, even in challenging scenarios such as production data environments.

Such is the case of icaria GDPR, a platform designed to automate GDPR compliance through encryption, hashing, or pseudonymization, giving organizations full control over their data and adequate management of data subjects’ rights.

With the data of more than 26.5 million customers effectively managed, icaria GDPR stands out as a key tool to help organizations ensure data privacy and GDPR compliance through automation.

Want to learn more about GDPR compliance for your organization beyond this General Data Protection Regulation summary? Ready to discover the benefits of automating GDPR compliance through specifically-designed tools? 

At icaria Technology, we can help you. Get in touch with our team and learn how.